Perturbation Inactivation Based Adversarial Defense for Face Recognition
- URL: http://arxiv.org/abs/2207.06035v1
- Date: Wed, 13 Jul 2022 08:33:15 GMT
- Title: Perturbation Inactivation Based Adversarial Defense for Face Recognition
- Authors: Min Ren, Yuhao Zhu, Yunlong Wang, Zhenan Sun
- Abstract summary: Deep learning-based face recognition models are vulnerable to adversarial attacks.
A straightforward approach is to inactivate the adversarial perturbations so that they can be easily handled as general perturbations.
A plug-and-play adversarial defense method, named perturbation inactivation (PIN), is proposed to inactivate adversarial perturbations for adversarial defense.
- Score: 45.73745401760292
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep learning-based face recognition models are vulnerable to adversarial
attacks. To curb these attacks, most defense methods aim to improve the
robustness of recognition models against adversarial perturbations. However,
the generalization capacities of these methods are quite limited. In practice,
they are still vulnerable to unseen adversarial attacks. Deep learning models
are fairly robust to general perturbations, such as Gaussian noise. A
straightforward approach is to inactivate the adversarial perturbations so that
they can be easily handled as general perturbations. In this paper, a
plug-and-play adversarial defense method, named perturbation inactivation
(PIN), is proposed to inactivate adversarial perturbations for adversarial
defense. We discover that the perturbations in different subspaces have
different influences on the recognition model. There should be a subspace,
called the immune space, in which the perturbations have fewer adverse impacts
on the recognition model than in other subspaces. Hence, our method estimates
the immune space and inactivates the adversarial perturbations by restricting
them to this subspace. The proposed method can be generalized to unseen
adversarial perturbations since it does not rely on a specific kind of
adversarial attack method. This approach not only outperforms several
state-of-the-art adversarial defense methods but also demonstrates a superior
generalization capacity through exhaustive experiments. Moreover, the proposed
method can be successfully applied to four commercial APIs without additional
training, indicating that it can be easily generalized to existing face
recognition systems. The source code is available at
https://github.com/RenMin1991/Perturbation-Inactivate
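As a rough sketch of the mechanism described above, the Python snippet below restricts an input's perturbation to an estimated "immune" subspace by orthogonal projection. This is only an illustration under simplifying assumptions: the basis here is obtained with a plain PCA over clean face images, k is an arbitrary subspace dimension, and the function names (estimate_immune_space, inactivate) are hypothetical; the actual PIN method learns how to estimate the immune space, so refer to the repository above for the real implementation.

    import numpy as np

    def estimate_immune_space(clean_faces, k):
        """Estimate an orthonormal basis of the 'immune space'.

        clean_faces: array of shape [n, d], flattened clean face images.
        The top-k principal directions serve as a PCA stand-in for the
        learned estimation used by PIN.
        """
        mean = clean_faces.mean(axis=0)
        _, _, vt = np.linalg.svd(clean_faces - mean, full_matrices=False)
        return vt[:k].T, mean  # basis of shape [d, k], plus the data mean

    def inactivate(x, basis, mean):
        """Project an input face onto the immune subspace.

        Any adversarial perturbation carried by x is thereby restricted to
        directions in which the recognition model is comparatively robust.
        """
        coords = basis.T @ (x.reshape(-1) - mean)   # coordinates in the subspace
        return (mean + basis @ coords).reshape(x.shape)

In this toy version the projection is applied directly to the (possibly attacked) input before it reaches the face recognition model, which is what would make such a defense plug-and-play and independent of any particular attack method.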
Related papers
- Improving Adversarial Robustness via Decoupled Visual Representation Masking [65.73203518658224]
In this paper, we highlight two novel properties of robust features from the feature distribution perspective.
We find that state-of-the-art defense methods aim to address both of these issues well.
Specifically, we propose a simple but effective defense based on decoupled visual representation masking.
arXiv Detail & Related papers (2024-06-16T13:29:41Z)
- Detecting Adversarial Faces Using Only Real Face Self-Perturbations [36.26178169550577]
Adversarial attacks aim to disturb the functionality of a target system by adding specific noise to the input samples.
Existing defense techniques achieve high accuracy in detecting some specific adversarial faces (adv-faces).
However, new attack methods, especially GAN-based attacks with completely different noise patterns, circumvent them and reach a higher attack success rate.
arXiv Detail & Related papers (2023-04-22T09:55:48Z)
- Understanding the Vulnerability of Skeleton-based Human Activity Recognition via Black-box Attack [53.032801921915436]
Human Activity Recognition (HAR) has been employed in a wide range of applications, e.g. self-driving cars.
Recently, the robustness of skeleton-based HAR methods has been questioned due to their vulnerability to adversarial attacks.
We show such threats exist, even when the attacker only has access to the input/output of the model.
We propose the first black-box adversarial attack approach for skeleton-based HAR, called BASAR.
arXiv Detail & Related papers (2022-11-21T09:51:28Z)
- TREATED: Towards Universal Defense against Textual Adversarial Attacks [28.454310179377302]
We propose TREATED, a universal adversarial detection method that can defend against attacks of various perturbation levels without making any assumptions.
Extensive experiments on three competitive neural networks and two widely used datasets show that our method achieves better detection performance than baselines.
arXiv Detail & Related papers (2021-09-13T03:31:20Z)
- Demiguise Attack: Crafting Invisible Semantic Adversarial Perturbations with Perceptual Similarity [5.03315505352304]
Adversarial examples are malicious images with visually imperceptible perturbations.
We propose Demiguise Attack, crafting "unrestricted" perturbations with Perceptual Similarity.
We extend widely-used attacks with our approach, enhancing adversarial effectiveness impressively while contributing to imperceptibility.
arXiv Detail & Related papers (2021-07-03T10:14:01Z)
- Towards Defending against Adversarial Examples via Attack-Invariant Features [147.85346057241605]
Deep neural networks (DNNs) are vulnerable to adversarial noise.
Adversarial robustness can be improved by exploiting adversarial examples.
Models trained on seen types of adversarial examples generally cannot generalize well to unseen types of adversarial examples.
arXiv Detail & Related papers (2021-06-09T12:49:54Z)
- Removing Adversarial Noise in Class Activation Feature Space [160.78488162713498]
We propose to remove adversarial noise by implementing a self-supervised adversarial training mechanism in a class activation feature space.
We train a denoising model to minimize the distances between the adversarial examples and the natural examples in the class activation feature space.
Empirical evaluations demonstrate that our method could significantly enhance adversarial robustness in comparison to previous state-of-the-art approaches.
arXiv Detail & Related papers (2021-04-19T10:42:24Z)
- A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNN)-based vision systems.
This paper proposes a self-supervised adversarial training mechanism in the input space.
It provides significant robustness against unseen adversarial attacks.
arXiv Detail & Related papers (2020-06-08T20:42:39Z)
- Adversarial Feature Desensitization [12.401175943131268]
We propose a novel approach to adversarial robustness, which builds upon the insights from the domain adaptation field.
Our method, called Adversarial Feature Desensitization (AFD), aims at learning features that are invariant towards adversarial perturbations of the inputs.
arXiv Detail & Related papers (2020-06-08T14:20:02Z)
This list is automatically generated from the titles and abstracts of the papers on this site.
This site does not guarantee the quality of the information presented and is not responsible for any consequences of its use.